Hello Lonnie,

This was a case of "take a deep breath" . . .
I was configuring the routing on the wrong network and pointing my PC at the
wrong DNS server, so there was no way I'd get across to the other network.
All is now as required.


As for
> Normally you would set:
>
> INTIP="192.168.7.1"
> INT2IP="192.168.207.1"
>
> as the internal interface gateways, . . .

I use an old network numbering "rule" that I've been using since I started with
IP networks:
Servers start at X.X.X.1 and the numbers increase
Gateways and Routers start at X.X.X.254 and decrease
Phones, Wireless access points, Printers, PCs etc. find themselves some space
in between, grouped nicely.

That means I know that these IPs are for gateways because they are so big.
[In fact I notice that "249" should be "251" - sometimes I don't follow my own
rules that exactly ;-)].


I'd still like to know the difference between TRUSTED_IF and IF_TRUSTS.


Many thanks for your help!

-Graham-




Lonnie Abelbeck wrote on 09/10/2010 23:42:
> Graham,
> 
> Normally you would set:
> 
> INTIP="192.168.7.1"
> INT2IP="192.168.207.1"
> 
> as the internal interface gateways, I see you have:
> 
> INTIP="192.168.7.250"
> INT2IP="192.168.207.249"
> 
> I'm not sure if that is the problem, but I would try that first.
> 
>> iPBX rc.conf.d # grep TRUST *
>> user.conf:TRUSTED_IF=""
>> user.conf:IF_TRUSTS="eth1 eth2"
> 
> You probably added the user.conf entries, but forgot about them.
> 
> I would delete both the TRUSTED_IF and IF_TRUSTS lines in user.conf ( Network 
> tab -> {Edit User Variables} ).
> 
> Save-Settings and restart the firewall.  Though they shouldn't have caused 
> the problem.
> 
> Lonnie
> 
> 
> On Oct 9, 2010, at 2:57 PM, Graham S. Jarvis wrote:
> 
>> Hello Lonnie,
>>
>> Thanks for the quick reply.
>>
>> The reason I looked up the post from 2009 was because I _have_ ticked the box
>> for the firewall options "LAN to LAN" on the webGUI and this is what's in the
>> gui file:
>> iPBX rc.conf.d # grep ALLOWLANS *
>> gui.firewall.conf:ALLOWLANS="INTIF INT2IF"
>> iPBX rc.conf.d #
>>
>> and just to show that the interfaces are configured:
>> iPBX rc.conf.d # grep INT *
>> gui.firewall.conf:ALLOWLANS="INTIF INT2IF"
>> gui.network.conf:INTIF="eth1"
>> gui.network.conf:INTIP="192.168.7.250"
>> gui.network.conf:INTNM="255.255.255.0"
>> gui.network.conf:INT2IF="eth2"
>> gui.network.conf:INT2IP="192.168.207.249"
>> gui.network.conf:INT2NM="255.255.255.0"
>> gui.network.conf:INT3IF=""
>> gui.network.conf:INT3IP=""
>> gui.network.conf:INT3NM="255.255.255.0"
>> iPBX rc.conf.d #
>>
>>
>> I still don't get traffic from one lan to the other.
>> I have a net4801 ie 3 Ethernet (eth0, eth1, eth2)
>> From iPBX (192.168.7.250) I can ping hosts on both networks.
>> From a host on 192.168.7.0 I can ping INTIF (192.168.7.250) and INT2IF
>> (192.168.207.249)
>> From a host on 192.168.207.0 I can _only_ ping INT2IF (192.168.207.249) and
>> not even 192.168.7.250
>>
>> I'm not so worried about traffic passing 207->7 in fact I'd like to block it.
>> But I need to access resources on the "207" network from the "7" network
>> (printers etc.)
>>
>> Any ideas?  I seem to be overlooking something . . .
>>
>> -Graham-
>>
>>
>> PS: What's the difference between TRUSTED_IF and IF_TRUSTS
>> and how do these get set up and used?
>> I have:
>> iPBX rc.conf.d # grep TRUST *
>> user.conf:TRUSTED_IF=""
>> user.conf:IF_TRUSTS="eth1 eth2"
>> iPBX rc.conf.d #
>> and I didn't set (any of) them by hand.
>>
>> PPS/FYI:
>> iPBX rc.conf.d # route -n
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> 192.168.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
>> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
>> 192.168.207.0   0.0.0.0         255.255.255.0   U     0      0        0 eth2
>> 224.0.0.0       0.0.0.0         240.0.0.0       U     0      0        0 eth2
>> 224.0.0.0       0.0.0.0         240.0.0.0       U     0      0        0 eth1
>> 0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
>> iPBX rc.conf.d #
>>
>> on my Windows PC (in French)
>> Itinéraires actifs :
>> Destination réseau    Masque réseau  Adr. passerelle   Adr. interface  Métrique
>>          0.0.0.0          0.0.0.0    192.168.7.250   192.168.7.207       20
>>        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
>>      169.254.2.0    255.255.255.0      169.254.2.2     169.254.2.2       30
>>      169.254.2.2  255.255.255.255        127.0.0.1       127.0.0.1       30
>>  169.254.255.255  255.255.255.255      169.254.2.2     169.254.2.2       30
>>      192.168.7.0    255.255.255.0    192.168.7.207   192.168.7.207       20
>>    192.168.7.207  255.255.255.255        127.0.0.1       127.0.0.1       20
>>    192.168.7.255  255.255.255.255    192.168.7.207   192.168.7.207       20
>>        224.0.0.0        240.0.0.0      169.254.2.2     169.254.2.2       30
>>        224.0.0.0        240.0.0.0    192.168.7.207   192.168.7.207       20
>>  255.255.255.255  255.255.255.255      169.254.2.2               3       1
>>  255.255.255.255  255.255.255.255      169.254.2.2     169.254.2.2       1
>>  255.255.255.255  255.255.255.255    192.168.7.207   192.168.7.207       1
>> Passerelle par défaut :     192.168.7.250
>> ===========================================================================
>> Itinéraires persistants :
>>  Aucun
>>
>>
>> Lonnie Abelbeck wrote on 07/10/2010 00:22:
>>> Hi Graham,
>>>
>>> You have several options...
>>>
>>> 1) The web interface allows you to specify which LAN interfaces can talk to 
>>> each other
>>>
>>> 2) There is an ALLOWLANS AstLinux variable...
>>>
>>> ## Allow LAN to LAN traffic for internal interfaces, defaults to disallow
>>> ## Space separate "INTIF" for 1st, "INT2IF" for 2nd, and "INT3IF" for 3rd Internal Interface
>>> ## Separate groups using a ~ (tilde)
>>> #ALLOWLANS="INTIF INT2IF"
>>> #ALLOWLANS="INTIF INT2IF~INTIF INT3IF" # (INTIF <=> INT2IF talk and INTIF <=> INT3IF talk, but *not* INT2IF <=> INT3IF)
>>> #ALLOWLANS="INTIF INT2IF INT3IF"
>>>
>>> 3) Use the IF_TRUSTS variable directly (which both above use)
>>>
>>> Lonnie
>>>
>>> PS: The INT_IF_TRUST variable went away in the AIF firewall some time ago, 
>>> replaced by the more powerful IF_TRUSTS.
>>>
> 
> 
> ------------------------------------------------------------------------------
> Beautiful is writing same markup. Internet Explorer 9 supports
> standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
> Spend less time writing and  rewriting code and more time creating great
> experiences on the web. Be a part of the beta today.
> http://p.sf.net/sfu/beautyoftheweb
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> 
> Donations to support AstLinux are graciously accepted via PayPal to 
> pay...@krisk.org.
> 
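
The ALLOWLANS format quoted above (space-separated names, groups split by a tilde), expanded into the interface pairs it permits, as an added example that is not part of the original thread or AstLinux's own code. The interface values are those from the gui.network.conf output in the thread; `resolve_if` and `allowlans_pairs` are hypothetical helper names, and how the firewall itself turns ALLOWLANS into IF_TRUSTS is not shown here.

```shell
#!/bin/sh
# Added example: audit which LAN pairs an ALLOWLANS value permits.
# Values below are the ones shown by "grep INT *" in the thread.
INTIF="eth1"
INT2IF="eth2"
INT3IF=""

# Map a symbolic name (as used in ALLOWLANS) to its interface; fail if unknown.
resolve_if() {
  case "$1" in
    INTIF)  printf '%s' "$INTIF" ;;
    INT2IF) printf '%s' "$INT2IF" ;;
    INT3IF) printf '%s' "$INT3IF" ;;
    *) return 1 ;;
  esac
}

# Print one "a<=>b" line per pair allowed to talk. Names that are unknown or
# have no interface configured are reported on stderr and skipped.
allowlans_pairs() {
  set -f                          # we split on purpose; no filename globbing
  old_ifs=$IFS; IFS='~'
  set -- $1                       # one positional parameter per "~" group
  IFS=$old_ifs
  for group in "$@"; do
    resolved=""
    for name in $group; do
      ifname=$(resolve_if "$name") || { echo "unknown name: $name" >&2; continue; }
      [ -n "$ifname" ] || { echo "$name has no interface set" >&2; continue; }
      resolved="$resolved$ifname "
    done
    # Within a group every member may talk to every other member;
    # members of different groups gain nothing from each other.
    rest=$resolved
    for a in $resolved; do
      rest=${rest#* }             # interfaces listed after $a in this group
      for b in $rest; do
        [ "$a" = "$b" ] || echo "$a<=>$b"
      done
    done
  done | sort -u                  # drop exact repeats across groups
  set +f
}

# The value from gui.firewall.conf in the thread.
allowlans_pairs "INTIF INT2IF"
```

Each pair is printed with `<=>` because the quoted comment describes ALLOWLANS as two-way; it has no form for allowing only one direction.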



